Friday, February 26, 2010

FTC: Beware P2P Breach

The Federal Trade Commission is warning 100 companies and organizations that their data has been compromised by P2P software. According to the FCC press release data on both employees and customers is involved.

The release also indicates that the breach is not because of any new exploit, but because of poorly configured P2P clients. Some P2P clients, like Limewire, set a specific share folder and only make files in that folder available to the network by default. Others share the entire hard drive by default. If you are using a client that shares the entire drive by default and don't set it to only show one specific folder, anything on your HD can be seen and downloaded by anyone else on the network.

This is nothing new, but it is obviously something that is still relevant. FTC Chairman Jon Leibowitz said,
“Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk. For example, we found health-related information, financial records, and drivers’ license and social security numbers--the kind of information that could lead to identity theft,”

I remember being amazed at what I could find with gnutella way back when. Sadly, it's not surprising that more than a decade since I first noticed really neat stuff that obviously shouldn't be on a P2P network the neat stuff that shouldn't be there still is. P2P is really neat, and really useful (not just for sharing music). But if you are a business, and you use P2P, or one of your employees decides he needs to use P2P on his work computer and it shares the wrong folder or the whole drive you could find yourself in violation of laws such as the Gramm-Leach-Bliley Act or HIPAA. As an individual, you know that Quicken or Microsoft Money file that has all of your banking info and can connect to your bank account? Your neighbors 14 year old in now has access to all your money. And all he wanted was music.

The FTC isn't just talking about the users of P2P software. The say that it's just as important that companies who "distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing. The easy way to do that is to have the P2P software's default setting "share this folder." And that's what you need to do if you are developing P2P software.

Thursday, February 25, 2010

British growing leary of government spying

More fallout from PlainsCapital vs Hillary Machinery

Last week Hillary Machinery filed it's counter to PlainsCapitals lawsuit. The PlainsCapital suit seeks nothing from Hillary (other than legal fees and court costs), but wants a judge to rule that PlainsCapitals security measures were commercially reasonable at the time of the bogus transfers. Hillary is seeking the return of the unrecovered monies and legal costs.

Most of the security community, or the most of the portion making their opinion known, seem to believe Hillary is in the right. But not everyone is ready to pick a side just yet. Benjamin Wright, an expert in data security and cyber investigations law has pointed out in his blog that we only have Hillary's side of things, so until PlainsCapital has it's say, any conclusions we come to are speculation.

But as things have developed, PlainsCapital's say may be too little, too late. Hillary has not stood still and has not played the quiet game. They have told their story loudly to anyone willing to listen, and it is a compelling story. Even if PlainsCapital had security measures in place that Hillary hasn't mentioned, the Banks reputation has been tarnished, and this incident will probably pop up when least expected for years to come. And regardless of who wins, both litigants will probably both find the way they handle financial transfers changed forever when this is over, because real fallout from this whole event is not going to hit just PlainsCapital or Hillary Machinery. It could change the way banks do business, and that will affect anyone who deals with banks. reports that at next weeks RSA Security conference Authentify, Inc. (who are consulting with Hillary) will be asking security professionals to sign a petition to Congress in an effort to force banks to establish better security for business customers. I don't think anyone wants more government regulation, but the fact is that what happened to Hillary Machinery and PlainsCapital isn't unique, or even unusual, even if the lawsuit is. Apparently small and medium size banks haven't done anything to correct the situation. With the attention of Washington being called to it, the government probably will.

Wednesday, February 24, 2010

Facebook giveth, and Facebook taketh away

As we become more social on the Internet, it is inevitable that the online world have more, and more influential interactions with the physical realm. And sometimes that interaction can be quite amusing. Take these two stories:

Facebook Bullies SNL

It seems that the fame of Superbowl advertising combined with a fanbase spanning 3/4 of a century - some of them aware of the power of online social networking - can lead to a gig hosting Saturday Night Live. On "an Improvised Blog" Jason Chin reports that SNL may have Betty White host, or co-host, a "Women of comedy" night. And according to an article he links to on Entertainment Weekly, it's at least partly because of the Facebook group, Betty White to host SNL (Please?)! Quite an accomplishment for a Facebook group - not only to be noticed by, but to influence guest host choices for SNL. And for the worthy cause of having Betty White host the show.

But it's not all happiness and light:

Nickelback Loses Facebook Popularity Battle To Random Pickle

It seems that Nickelback's reputation on Facebook is in a bit of a pickle. Or has been pickled, or something. reports that a woman named Carol Anne decided she could one-up Nickelback and created the “Can this pickle get more fans than Nickleback?” fan page. She started the group on February 3rd, and on February 19th - just over 2 weeks - she topped Nickelback's 1,428,801 fans. As of 12:00am February 24th, the pickle has 1,478,755 fans.

What does this have to do with privacy and security? Nothing, directly. It's more of something to provoke thought. The Betty White to Host SNL (Please?)! page was started around January 29th and gathered 400,000+ fans in roughly 3 weeks. It apparently influenced SNL to consider Betty White as a host, and has actually generated more interest and hype than her official Facebook page.

The Pickle that beat Nickelback's Facebook fans garnered enough fans in two weeks that, if it were to record an album and sell 1 copy to each of it's fans it would have a platinum album. If only slightly  more than 1/3 of it's fans were to buy, the album would still be gold.

In a sense these are extreme cases - but looked at another way, they are atypical, but not extreme at all. Online social networks can be used to create change, something entertainers have vaguely realized for some time, and something that no politician has really gotten until Barack Obama's campaign. The Internet made communication and collaboration between universities and corporations easier. The World Wide Web made it possible for the common man to quickly and cheaply made his voice heard, and social networking has made it possible to ignite worldwide passion for a cause in less time than it took for Paul Revere to ride from Boston to Lexington in 1775.

This isn't bad, and it isn't good. It just is. How we handle this new power to mold and shape opinion determines the good or bad of it. It can be used for good - look at all the aid for Haiti generated through Facebook, Twitter and other social networks, not to mention all the websites that facilitate donations for Haiti relief. Look at families who haven't seen each other for years reunited. But look also at the careers ruined because of careless or malicious posts online and the predators who use the web as their playground.

What I'm trying to say, and what I want people to do when they're online is, think about what you're doing and what it may lead to. You may still decide it's the best course, but at least you won't get caught flatfooted if it blows up on you.

Tuesday, February 23, 2010

Big Brother's on the way

Fosters.coms Aaron Sanborn reports that in Dover, NH the police are going to be installing 23 cameras in various public buildings. The cameras aren't going to be constantly monitored but will be used to provide evidence in the case of crime. Sanborn talked to Dover Police Chief Anthony Colarusso.
"In general the security cameras are a deterrence that will hopefully prevent anything from happening," Colarusso said. "If people know a camera is in a certain area, they may be less likely to commit a crime."

Really? How many bank robberies occur every day in the U.S.? Are they more or less per capita than they were before the advent of cameras? Is there any evidence that they really are deterrent?

Well, the answer to that is a resounding "?".

Some studies show the cameras to be effective, some show them to be ineffective. Some show them to be effective, but closer study shows camera installation coincided with increased patrols - so which was the bigger deterrent? The questionable track record combined with the expense to setup and maintain and the privacy concerns of cameras should weigh heavily in the consideration of any camera deterrent program. But it doesn't. The appearance of doing something often trumps all other considerations.

For a very good article on "Police Cameras" check out the article at Or you can check out my original post on the subject - it says much the same thing, but has even more supporting links.

Monday, February 22, 2010

Jamere Holland latest facebook casualty

If you're like me, you may not know who Jamere Holland is. The former Oregon Ducks receiver was kicked off the team for his strong statements on Facebook. From a curse laden tirade regarding the booting of Kiko Alonso  as reported by Buster Blogger Brad Young to a statement reported in the Ducks Beat Blog regarding having white people as Facebook friends, Mr. Holland provides a prime example of not thinking before posting on his Facebook page. And he also needs to change his privacy settings. I'd never heard of Jamere Holland until today, but I was able to go to his Facebook page and take a screenshot of his wall:

[caption id="attachment_1061" align="center" width="500" caption="How to make and influence Facebook friends"]Jamere makes friends and influences people[/caption]

I don't know, but I see more than one thing that probably shouldn't have been said. And Mr. Holland is paying a price for his outburst - an outburst that was at least premature, since the friend he was defending had not been kicked off the team. How this will affect his future, both on and off the field, probably won't be very obvious for a long time, but in the short term, he's provided one more example of how a short temper and a Facebook page can put you in hot water.

Friday, February 19, 2010

School administrations are not police

Just days after telling you about the student who successfully sued her school for violating her free speech rights when they punished her for her Facebook page we see a new lawsuit filed, this time alleging invasion of privacy by school officials. If true, it is truly a case of school officialdom run amok.
In the Lower Merion School District each high school student was issued a laptop to improve and engage the students more fully in their education. The laptops were equipped with webcams and had software installed on them that allowed the webcam on a stolen laptop to be activated remotely, sending a still picture of whoever was using the laptop back to the school.

That's all well and good, but the students and their parents were not informed of this feature. Even that might not have been a big deal, but in at least one instance a picture was taken of a student whose laptop had not been stolen. And the student (and his family) learned of this when an assistant principal called the boy into the office and informed him that he was engaged in inappropriate activity at home. For proof he produced the picture taken using the webcam.

One has to wonder how many photos were taken, and showing what. The school had no right to be taking pictures of the students. Even if they thought the student was involved in something illegal, they had no right to activate the camera. Even the police would have had to prove probable cause to a judge and gotten a warrant.

Thursday, February 18, 2010

It's not a joke. Do you use one of the numerous services that let you tweet or otherwise post your location for the world to see? searches twitter and posts the tweets that give away the tweeters location.

It's not as nefarious as it sounds (or as it could be). The site was developed by three guys to demonstrate that we have some very bad habits, security-wise. The actual address data appears to be substituted with data from lands far away from the original poster. But that doesn't change the fact that large numbers of people are making their locations known. And part of knowing where you are is knowing where you're not. Which is exactly the information a burglar wants. Not to mention stalkers, psycho exes and assorted crazies.

Do you tweet your location? How often have you said something like, "Going to the game, hope we win. Go Tech!" How many hours would that give a crook to burglarize your home?

Wednesday, February 17, 2010

Just a quick Google Buzz observation

A coworker of mine received a buzz on his cell phone, It was a comment by a guy he didn't know. Ok, that's what Google Buzz does. The neat (or scary if it was unintentional) thing is that along with his buzz was his location overlaying Google Maps. And it actually gave the name and address of his apartment complex! It's really neat, but if you read my old blog you may recall my concern about similar fun things in the past that used Twitter and Facebook to allow friends (and others) to track your whereabouts. Great stuff for stalkers. Enjoy your social internet, but be careful what you're letting people know.

Facebook speech protected (sometimes)

Katherine Evans probably wasn't thinking about being part of a landmark case in online Free Speech when she created her Facebook rant against a teacher in 2007. She didn't keep it up long - apparently she was one of the few who didn't like the teacher - but the principal took exception anyway, took her out of her advanced placement classes and suspended her for three days.

In todays Miami Herald Hannah Sampson reports that a Magistrate Judge Barry Garber ruled that the Facebook page falls under the umbrella of Free Speech:
``Evans' speech falls under the wide umbrella of protected speech,'' Garber wrote. ``It was an opinion of a student about a teacher, that was published off-campus, did not cause any disruption on-campus, and was not lewd, vulgar, threatening, or advocating illegal or dangerous behavior.''

This is a very good ruling, in my opinion. The judge recognizes that the schools cannot, and should not, be able to dictate students life off campus. But at the same time it recognizes that there may be cases that Facebook or other online speech would not be protected.

As the internet continues to mature and governments start putting more effort into taming this beast cases like this one will define what we can and can't say online. And in the era of social media, what we can say online will be a defining factor in having a free society.

Tuesday, February 16, 2010

Google's Buzz: Sign of things to come?

Last week Google announced their first foray into the social networking battlefield. Termed Google Buzz, it immediately generated huge amounts of, for want of a better term, buzz. Of course, most of the initial buzz was about the horrid default privacy settings. I don't know if anyone actually lost their job or their marriage, but the way Buzz shared information definitely made such a result possible.

Google quickly responded to the hue and cry, but the real surprise wasn't that Google responded quickly and changed the default settings, it's that they made the mistakes in the first place. How could a savvy company like Google repeat the mistakes made by Facebook? And not only repeat, but expand on them. An article on Tech News World, "Google Buzzes Privacy Breach is a Sign of Things to Come" suggests that Google planned it that way. Not only that, but that opening services with wide open privacy settings, then pulling back only as much as public outcry demands will probably become the norm for social networking rollouts.

As much as I'd like to disagree with that, it rings true. Google, like Facebook, doesn't make money directly off it's users. It makes money off of their data and ad revenue. As new social sharing sites come along, they will probably use the same basic methods to make money. And they will probably use the same methods of getting as much data as possible from their users. Put it all out and when the users scream, step back only as far as absolutely necessary.

That's not acceptable. It should be standard practice to put out no information and give the user the option of putting out as much as he wants.

Monday, February 15, 2010

The lighter side of data breaches

Apparently a Swiss bank has been the victim of a data breach. Erik Kirschbaum reports through Reuters that German tax dodgers are running scared after data breach. The report says that which bank it was is unknown, but the German government seeing a huge increase in the number of tax dodgers turning themselves in. There is a good reason it's happening. German tax law says that a tax dodger can avoid prosecution if he turns himself in before the government starts to investigate him.

It seems there are a lot of German tax evaders with money in Swiss banks. But they may not have even noticed if the German government wasn't willing to pay 2.5 million Euros for the data. Which allows great quotes like this:

"There's been a delightful rise in tax compliance," said Daniel Abbou, spokesman for the finance department in the city of Berlin after 74 people volunteered this week to pay back taxes on previously undeclared income.

Great stuff.

Friday, February 12, 2010

Obama = Bush

Now that I've got your attention, yes, I mean that. When it comes to citizens privacy rights, I can see no discernable difference between their administrations. Obama is continuing the national phone monitoring that was started by the Bush Adminstration. A program that is unconstitutional and does little if anything to benefit national security.

If that wasn't bad enough, last night I saw two articles talking about a case being argued today in Philidelphia. The first was at and was pretty short. The headline says it all:
The Government Can Monitor Your Location All Day Every Day Without Implicating Your Fourth Amendment Rights

The second was an opinion piece by Catherine Crump at the Philadelphia Enquirer. It began with,
"If you own a cell phone, you should care about the outcome of a case scheduled to be argued in federal appeals court in Philadelphia tomorrow. It could well decide whether the government can use your cell phone to track you - even if it hasn't shown probable cause to believe it will turn up evidence of a crime."

The Obama administration is asserting that U.S. citizens have no reasonable expectation of privacy when it comes to their cell phones. This premise comes from the "third party doctrine." The third party doctrine is controversial to say the least, and in the modern age the equivalent of completely removing all Fourth Amendment protections without the pesky need to actually repeal it.

The third party doctrine says that once you knowingly give information to a third party you lose the right to the Fourth Amendment protections. Just to help keep things clear, the Fourth Amendment says:
Fourth Amendment – Protection from unreasonable search and seizure.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The third party doctrine is based on the premise that, since the phone company, your ISP, and any other company you may give data to is not within the four walls of your home or on your person, that data is no longer protected by the Fourth Amendments clause against unreasonable searches and seizures.

Forget whether or not you are doing anything illegal. Under the third party doctrine the government can subpoena your browsing history from your ISP without having to prove probable cause. Anything you put on Facebook (not that Facebook is private), and possibly even anything you backup to Carbonite or other online backup service.  I say possibly to the backup services because they are usually encrypted, so a "reasonable expectation of privacy" can be argued. The same can't be said for email, cell phones, text messages or almost anything sent over the internet.

I don't know about you, but almost everything I do that doesn't involve direct, face to face communication goes through a third party before reaching it's destination. There is almost nothing I do that the government can't look into for no other reason than curiosity using the third party doctrine. Knowing the history of the American colonies and the revolution, I know the founding fathers never intended the government to have that kind of power.

Thursday, February 11, 2010

Better secure that wireless

A recent post by Thomas O'Toole of the Ecommerce and Techlaw blog reports that a federal court in Oregon has decided that if your network is not secured, you have given up your right to privacy. So, according to the judge evidence taken from the defendants computer was admissable, even though the sheriff searched without a warrant - because he accessed the computer over the open wireless network in the defendants home.

With no more information than that, I would say the defendant, John Henry Ahrndt, was right. But there is a lot more to tell. Mr. Ahrndt had an unsecured network, sharing a folder using limewire, and sharing his iTunes library. A neighbor often had trouble with her internet connection, and her modem would automatically pickup Mr. Ahrndts network and connect to it. One day she noticed a shared iTunes library, also with no password. She looked at it, saw some things that looked wrong to her, and reported it. A sheriff's deputy responded, and she repeated what she had done before. Based on what was found, a series of warrants were issued that culminated in seizing the defendants router, computer and a variety of storage devices.

O'Toole has no problem with the decision. He doesn't believe it breaks any new ground. Mike Masnick at Techdirt disagrees. He is concerned because having an open wireless network appears to mean you have surrendered your right to privacy on your computer.

I read the decision, and it appears to be completely in line with similar decisions regarding technologies like cordless phones and cell phones. And I can't really find any fault with it. Not only is the decision in accord with similar cases regarding analogous technologies, the judge explicitly states that having an open wireless network does not, by itself, remove your constitutional privacy protections:
Society's recognition of a lower expectation of privacy in unsecured wireless networks, however, does not alone eliminate defendant's right to privacy under the Fourth Amendment. In order to hold that defendant had no right to privacy, it is also necessary to find that society would not recognize as reasonable an expectation of privacy in the contents of a shared iTunes library available for streaming on an unsecured wireless network.

I can't speak for society, but for myself the combined facts that the guy was running an unsecured wireless network and broadcasting a shared, unprotected iTunes library on it pretty much removes any right to privacy on his computer. Claiming invasion of privacy in such a case is kind of like building a glass house, not putting up curtains and complaining if someone sees you naked.

I might feel differently Mr. Ahrndt were not a convicted sex offender and the evidence gathered wasn't pictures of children as young as five. But I doubt it.

[This is the second time I've had a post not publish when it's supposed to. What's going on?]

Wednesday, February 10, 2010

Home shopping by remote-pleasure or pain?

The Home Shopping Network (HSN) has a nifty little tool for those of us who don't have a computer and just don't want to be bothered with a phone call - and who have Dish Network. It's called Shop by Remote (SbR). A report by Michael Finney on KGO-TV San Francisco details a security flaw in the SbR system. According to the story, all you have to do is enter a little information and your address and credit card info will just pop up. The reason your information pops up is because you have to have an account with Home Shopping Network to use Shop by Remote. As you type information it is compared to info in their database. When there is enough to positively identify you, it pops your data up on the screen.

They were right about there being no security. HSN's SbR info page says that you have to have an HSN account, but really doesn't give any other information. Except for an 800 number to call if you have any other questions or wish to sign up. Well, there's an 800 number for questions, so I called it.

It was a very disappointing call. When I asked about security, I was told, "You have an account number that no one else knows."

So if anyone does get your account number, there is nothing else to protect you. And if you enter the right information into SbR, the system pops up your name, address and credit card number on the TV screen. So it appears if I can locate an HSN account number that is tied to SbR I can get the account holders name, address and credit card numbert. I asked about usernames and passwords again and was told that if I didn't trust Shop by Remote, I could just give the information to her to make the order.

Shop by remote is a pretty neat idea, but one that is far too insecure. Account numbers are often easy to find. Without some other type of authentication you might even find yourself victimized by a crook using a random number generator - all he needs is the format of HSN account numbers. So I told the associate that I wasn't interested, and hung up.

You can't use a credit card without making it possible that some one may steal your info. But Home Shopping Networks Shop by Remote makes it easy. Stay away until they add some security to it.

Tuesday, February 9, 2010

Our Changing Facebook

Facebook has decided to rearrange the home page, and I'm seeing a lot of complaints. Some are funny, some are whiny. My favorite is "Let's tell yo-mamma jokes about the new Facebook layout."

Myself, I don't have a problem with it. I like having a logout button rather than going to a menu, but other than that, it's ok. What is more interesting to me are the requirements Facebook is enforcing on third party advertisers. The policies have been in place for months, but Facebook recently spelled them out again, and is now requiring advertisers to agree to them. In his February 3rd Inside Facebook column, Eric Eldon gives a synopsis of the new requirements. But put simply, the reuirements boil down to, the ad providers will strictly adhere to Facebook guidelines regarding gathering, holding, and disseminating Facebook user information. They will also provide information to Facebook on their employees and just about any other information Facebook asks for. There are several other requirements that show Facebook is making a serious effort to protect users data.

Now if they would just give us more ability to protect it ourselves.

Monday, February 8, 2010

$50,000 for lost hard drive - almost wish I knew where it is.

$50,000. According to Government Technology, that's what the National Archives and Records Administration values a hard drive with personal information of Clinton era staffers - and one of Al Gore's daughters. So far over 175,000 letters have been sent out to people who may be affected by the lost data. With that much data missing, I don't think I'd want to admit I knew where the drive is. I'd forget the reward and leave the drive on the Whitehouse steps with a note, "Sorry, my bad, won't happen again." Better yet, do a 7 or more pass overwrite, drill holes in the drive, and throw it off a bridge. They still have the original data, so why risk getting arrested turning it back in?

Sunday, February 7, 2010

Punk'd, Facebook style

A few students at the University of Lethbridge, Canada decided to see how easy it was to create a bogus Facebook account and fool people with it. Valerie Fortney of the Calgary Herald reported her story, U of L Facebook prank a lesson in privacy. She quickly pointed out that Facebook is used for many good things before moving on to the point of the story.

But there is a dark side to Facebook, and that is what prompted the students to try their little experiment - apparently as part of a class, but it's never explicitly stated. It was an eye opener. In 24 hours the 'girl' was getting asked out, and having chats with people - some of them involving personal information. In 48 hours, fearful of what could happen if it went on too long, deleted the account. They then went to their class and revealed what they had done. I agree with Ms. Fortney, who says she would have paid money to be there.

Could a similar thing be automated? U of L professor Mary Dyck, an expert on cyberbullying, feels sure that it is already being done. Do you have any friends who are really computers?

At the end of the article, the author notices that an ad on her Facebook page was targeting "48 year old women" who wanted to test Ugg boots. It seems that 2 weeks earlier she'd been checking out Ugg boots on eBay. But she'd never mentioned that, or her age, on Facebook.

This will be my last Sunday post. Starting tomorrow I will post 5 days a week, Monday thru Friday.

Saturday, February 6, 2010

Facebook page = expel

Frustration can be very motivating. From the Miami Herald we learn that motivation without careful direction can be dangerous.

Alex Fuentes was frustrated because he was going to graduate with honors from a low ranked school in Florida, so he made a Facebook page. When the school found out about it, he was booted from the National Honor Society. Alex had taken a pledge to show loyalty to his school, and they felt naming a Facebook page, "Wesley Chapel High = Fail" did not qualify as a display of loyalty. Especially when it becomes an online hangout where students criticize the school.

I think the teachers on the NHS board over reacted. Giving other students a place to voice their frustration with their school could be a good thing, and I would have encouraged Alex to use that argument with them. But he apparently found moving to another school a better option, even though he was a senior with only a few months before graduation. So he gets to be another example of why you should be very careful of what you do online, especially on Facebook.

Starting Monday I will be posting 5 days a week, Monday thru Friday. Thanks for reading.

Friday, February 5, 2010

Should LEDA sue PlainsCapital?

It's amazing how much bad publicity one little lawsuit can generate. And PlainsCapital, formerly of Lubbock, has managed to put it's foot in it good. If I was in investor I would be seriously questioning the leadership of the company right now. And if I were part of the Lubbock Economic Development Alliance I would be looking at damage control for Lubbock's reputation.

From the Denver Post: Lewis: Firm sued for being robbed

Why would I be looking at damage control? Because some of the authors of national stories about PlainsCapital suing Hillary Machinery don't know that PlainsCapital is now based in Dallas. So  the stories talk about Lubbock based PlainsCapital, and proceed to make PlainsCapital - and Lubbock - look like a bunch of ignorant hicks.

ComputerWorld: Bank sues victim of $800,000 cybertheft

Of course, unless they had security measures in place that they aren't mentioning and someone just messed up, PlainsCapital acted like ignorant hicks, then acted more ignorant by trying to sue for vindication. I said it in the comments of my original post on this subject that email is not a secure verification method, and that point is being made by other observers. It's not like an expensive, high tech solution was needed. A simple requirement that no transfers be made without a phone call to verify they're legit would have prevented this.

From the codetechnology blog: Authentication issue at heart of lawsuit

So what would LEDA sue PlainsCapital for? Or maybe it should be the City of Lubbock suing them? I'm thinking defamation of character, damage to their brand, brand dillution...shoot, I don't know, but surely there's some stupid lawsuit they can hit them with that won't be as stupid as PlainsCapitals suit against Hillary.

From Texas Bank Sues Customer After $800,000 Scam

And a few more just because four stories don't demonstrate how widely this is being reported:

From Foxnews: A video clip

From Dallas Morning News: PlainsCapital suing customer Hillary Machinery over cybersecurity

From the e-business blog: Cybertheft victim gets sued by bank

From Techdirt: Bank Sues Identity Fraud Victim After $800,000 Removed From Its Account

And from the forums at We were cyber attacked/robbed...

Enjoy your weekend.

Thursday, February 4, 2010

Anatomy of a Craigslist scam

Our van went belly up a couple weeks ago, and we need another one. A friend sent me a link to a van for sale on Craigslist for $300.  Here is the listing:


- 106,970 MILES
- 3.8 LITER V6


What makes this a classic scam is the appeal to our greed, in this case our desire to get something really good for as close to nothing as we can manage. Looking at the listing again, there was an obvious clue this was bogus from the start: 1996 Chrysler vans didn't have fold in the floor 2nd row seats. I know this because the van that died was a loaded 1998 Caravan. But not noticing that, this was still obviously too good to be true. It was probably a typo, though, so I checked it out. I clicked on the email address and sent a query. Shortly I received this email:

[caption id="attachment_875" align="alignnone" width="500" caption="Odd name for a personal website..."]Odd name for a personal website...[/caption]

The URL seems a little odd for a personal website, but I'll check it out...

[caption id="attachment_878" align="alignnone" width="500" caption="Appears to be a graphic, except for the phone entry fields"]Appears to be a graphic, except for the phone entry...[/caption]

Here's where the warning bells become intolerable. Some of this may be my own paranoia, but...

  • He's holding a raffle to see who gets to look at his van?

  • He's using a graphic for text - classic scam move. It's a lot more work than simply typing the text in - unless you're creating a bunch of ads. Then it's easier to create one document to upload instead of two or three (text and art)

  • He's using the Craigslists automated phone system to set this up? If he really works for them, he's fired.

  • He wants me to give him my phone number so Craigslists APS can text me?

  • I can give him as many textable numbers as I want to, he doesn't mind.

I checked the page source, and the only thing the page did is make sure you actually put something in the fields. It didn't check what you put in, just that the fields weren't empty. so I entered u, u, u. It worked. It sent me to a 5 second countdown page, which I think was setting up a hotmail account to email my phone number to. It then sent me here:

[caption id="attachment_885" align="alignnone" width="500" caption="Same page, but single code entry field now."]Same page except for single text field[/caption]

Just the blank field I'm supposed to wait and fill in when I get texted. The other hole in the blue is some of the 'text' that has a bit of cloudiness around it. That's a visual clue it's an image file, not actual text.

I look at the pagesource on this page and find a couple of interesting tidbits. There is a hotmail address and a password that I think are auto-generated every time someone enters data into the fields on the previous page. I'm pretty sure that's the case because the hotmail account is different every time. Yes, I clicked on it several times. Was that smart? Not really. I'm as protected as I can be, but there's no guarantee the doesn't have something new on his site that could compromise my computer.

Am I being paranoid? Craigslist didn't think so. By the time my friend saw the ad and told me, it had already been pulled off the site. It still showed up as a result in searches, but when you tried to go to it a page saying the ad had been marked for deletion popped up.

So what was he trying to accomplish? At first I thought he was just generating phone lists to sell. After all, all he asked for was a phone number. Then I realized what he really wanted was numbers to cell phones. SMS messaging capable cell phones that he could send simple little, "your code is: xxxxx" sms messages - at 9.99 per message. If the ad appeared in 10 cities long enough to get 1000 valid, textable numbers in each city that would be roughly $100,000 to the conman. Not a bad morning for a crook.

UPDATE: Once I was someplace I could log into hotmail, I went through the process again and tried the hotmail account and password that were on the page. Not only did it create a hotmail account, there was an email from Craigslist - it had created a new account on Craigslist. I imagine it also placed more ads. I'm bordering legality here (the scammer sent me the account info in the source code of the page), so I'm not going any further, but I suspect that the account on craigslist may have the same username and password as the hotmail account. Of course, this is all automated, so it doesn't have to be the same.

Wednesday, February 3, 2010

Facebook: Help Haiti gag and more

It's amazing the things people will do on Facebook. For some reason they think that, even though everyone they friend (and most people they don't) can see their posts, the posts are private. Here are a few examples:

A story in the Register today shows us that the Swedes are a generous people - and every bit as gullible as any other nationality. Swedes joining the group "2 kronor per member to earthquake victims in Haiti" expected 2 kronor to be donated to Haiti relief when membership reached 200,000. Imagine the surprise when, after 200,000 was reached, the group announed it was actually the Swedish Necropilia Association. The perpetrators of the hoax said they were wanting to get a good laugh and teach people about critically reviewing their sources. Since no one had to actually donate any money, I guess I can see the humor, and the lesson. But some of their material was reportedly pretty graphic, so I can't help but think someone's going to get into some kind of trouble over this.

AP writer Thomas Watkins tells us, "Use of Twitter, Facebook rising among gang members." That may be a good thing. It's enabling the capture of more violent criminals as they put incriminating evidence up on the social media sites.

A teen drinker, Ashley M. Sullivan, was about to be sentenced as a minor for the negligent homicide of her boyfriend while driving under the influence. The the judge saw a picture of a drunk Sullivan on her Facebook page. He sentenced her as an adult.

Three Illinois high school students were suspended for their Facebook videos. Other students reported the videos because they were frightened by them.

Tuesday, February 2, 2010

GAO to TSA: Test those scanners first!

In a report by Jaikumar Vijayan on we learn that the Government Accountability Office (GAO) has told the TSA to make sure they properly test the full body scanners they are trying to deploy. The GAO reminds the TSA that another technology, Explosive Trace Portals, was rushed to deployment, and performed so abysmally that only about 1/2 the units purchased were installed, and by the end of 2009 all but 9 were out of service. Those 9 will be gone by the end of the year.

The GAO says that the TSA had not tested the full body scanners by October 2009, but claims to have finished testing by the end of that year. The problem, according to the GAO, is there is no verification that real world tests, ie tests trying to fool or bypass the scanners, were done.

Without such tests - carried out with a sincere desire to get past the scanners - there is no guarantee that the scanners are effective. It's easy to find something carelessly hidden. It's another thing to catch something carefully hidden by someone with a good idea of how to hide it.

If some of the things I've read are correct, as little as a millimeter of skin will keep  these scanners from finding something. Having the amount of skin necessary for a bomb pulled up and sewn down over high explosives doesn't seem very attractive, but we're talking about people who are not expecting to be in one piece for much longer when this is done. Of course, there are less violent ways to hide a bomb inside the body. People smuggle drugs that way all the time.

This really comes down to a cost benefit analysis. The cost of the methods required to get around full body scanners - apparently very low. The cost of the scanners? A very high $130,000 to $170,000 each. Unless the TSA can show the scanners can effectively reduce terrorist attempts, the cost outweighs the benefit. From the information available now, that seems unlikely.

Monday, February 1, 2010

Lifestyles of the rich and famous

KABC-TV in Los Angeles ran a story Friday about an actress who was fighting city hall over the height of her privacy gate. Three years ago a stalker started sending letters to actress Eva La Rue that were frighteningly detailed. She responded by having her gate and columns made taller, among other things.  She started the work without permits, but later got a variance and went on with her life.

Then a neighbor complained, and the variance was overturned. Le Rue appealed, and her private address became part of public court records. She received a letter from the old stalker saying, "I know where you live now."

The neighbors complain that the height is not allowed by city ordinance (La Rue was given a variance) and they like the opennes of their neighberhood.

La Rue has had to move out of her house because of the stalker.

Is it right that these people endanger the life of anyone, because they want to be able to see into her yard? NO!!!

It's too late now. The cats out and Miss La Rue is out a house. The nosy neighbors should have to buy her house at fair market, splitting the cost between them.

Maybe they could rent it to the stalker.